Michael Smith, CSIRT director at Akamai, attributes the drop to users scanning their own systems immediately after finding out about the bug. The tapering off could be indicative of more effective patching, or a clear assessment of affected devices already being performed. However, Smith wasn't completely sure this was the case.

“But it [the drop] also reminds me that correlation is not causation,” Smith said in an interview with SCMagazine.com. “Although it indicates that might be what's happening.”

The same was also seen in the unique payload attacks per day. On Sept. 27, the number peaked at 20,753. A day later, it was down to 15,071.

“It's more difficult to exploit the bash bug, but if you're successful, it can be more severe,” said Ben Feinstein, director of operation and development for the Dell SecureWorks Counter Threat Unit, in a Thursday interview with SCMagazine.com

If an exploitable device is found, attackers can execute commands, whereas with Heartbleed, a successful attack could turn over information, such as passwords or encryption keys, wrote Dennis Dwyer, senior security researcher for the Counter Threat research team, in an email correspondence with SCMagazine.com. Attackers can use recycled script, for instance, but ultimately, finding those devices proves difficult. This could become an attack deterrent.

Still, compared to Heartbleed, the level of expertise required to exploit Bash is significantly less, which could make it attractive to attackers. Some experts expect the attacks might dwindle, though.

“Potentially, people have completed their scans and learned what they wanted to learn,” Dwyer said. “There will always be threat actors out there exploiting the Bash vulnerability, and it will slowly taper off over time.”